OTTAWA — Canada’s privacy commissioner says the discrepancy between the number of data breaches reported to her office and the number that take place in the public service is high enough to suggest departments aren’t consistently applying reporting rules and are putting Canadians’ information in danger.

Jennifer Stoddart said in an interview Wednesday that not all the 3,134 reported breaches over the last 10 years have been significant, but she couldn’t say for certain because only 403 cases — just less than 13 per cent of all incidents — were reported to her office.

“I would not be surprised (if) a significant number of these incidents did or could have had consequences for Canadians and probably should have been reported,” Stoddart said. “This is kind of like the Titanic of personal information in the federal government.”

Data losses at federal departments have come under greater scrutiny since late last year over concerns about privacy breaches at Veterans Affairs Canada, and, more recently, two breaches at Human Resources and Skills Development Canada. Combined, these breaches could have exposed the personal information, including social insurance numbers, of more than 588,000 Canadians — more than half of the just over one million Canadians affected by privacy breaches over the last 10 years.

During the 2012-2013 fiscal year, departments reported more than 100 breaches to Stoddart’s office — an all-time high and a 25 per cent increase over the previous fiscal year. However, since reporting isn’t mandatory for departments, Stoddart’s office wasn’t able to say whether the increase was a result of more breaches, or better reporting practices.

Over the last 10 years, 3,134 information and data breaches have affected at least 1,075,313 individuals, according to documents tabled in Parliament this week. HRSDC had 885 breaches since 2002, reporting 62 of them to the privacy commissioner, while Correctional Service Canada reported 147 of the 894 breaches.

The number of affected people, however, is likely higher as one department, the Canada Revenue Agency, didn’t provide any figures and others, such as Correctional Services Canada, listed as “unknown” the number of people affected by a single breach. Statistics Canada listed the number of households and businesses affected by each breach, but couldn’t give more precise numbers. (Stoddart’s office is currently auditing the Canada Revenue Agency over multiple reports of employees inappropriately accessing taxpayer information in recent years.)

The Department of National Defence didn’t provide numbers for breaches of classified or protected information, citing security reasons.

The list is also incomplete because some departments only have data dating back four or five years. Health Canada, for instance, didn’t maintain records of data breaches before 2008, and the RCMP’s data dates from 2010 because the force destroys information two years after the last action on the file.

Stoddart suggested that many of the incidents may never have happened had the government implemented recommendations from her office, submitted to a House of Commons committee in 2008 and 2009, including legislating reporting of privacy breaches and proper security safeguards for handling personal information.

“Had they been acted on, I think Canadians’ personal information would have been a lot safer,” Stoddart said.

Under questioning in the House of Commons Wednesday, the government defended itself from NDP accusations that the Tories weren’t doing enough to protect personal information from being leaked.

“Whenever there is a breach of privacy, the government has responded,” Prime Minister Stephen Harper said in French. “We have established action plans for various departments to ensure the protection of privacy and (take) immediate action in cases where there is a breach.”

Some departments are more militant about reporting information than others. For instance, National Defence and Aboriginal Affairs reported all of their identified breaches, according to the documents, but their numbers are small: six breaches apiece.

Citizenship and Immigration Canada reported almost every data breach that occurred — even if only one person’s information was lost. That changed in 2012, when reporting a breach to the privacy commissioner became a rare occurrence.

From 2002 until 2011, CIC reported 18 of 20 data breaches to the privacy commissioner. Of the 160 breaches recorded in 2012, only five were reported to the privacy commissioner.

In an emailed statement Wednesday evening, the department said that the difference in numbers are a result of tracking all privacy breaches, not just those that were reported to the privacy commissioner or considered serious. The new guidelines laid out that unless there is a “serious risk of identity theft” and “is expected to raise serious concerns” among the public or could bring “harm to (an) individual,” the breach could be resolved internally. Low-risk breaches were identified as those involving between one and four people; high risk was for any incidents with over nine people.

“The new standardized approach allows CIC to be more efficient and thorough in dealing with and mitigating privacy breaches,” spokesman Erika-Kirsten Easton said in an email. “It is important to acknowledge that CIC deals with an enormous volume of correspondence. The number of related reported breaches is quite low.”

Similar patterns exist in other departments, according to the documents tabled in Parliament on Monday, such as Passport Canada, which reported 13 of the 174 privacy breaches to the privacy commissioner.

Stoddart’s annual report, due to be released in the fall, will focus on the increasing importance of information security and modernizing privacy laws to update what she called outdated punishments and incentives for departments to invest in proper security safeguards.

“We know from polling that Canadians are concerned about this, so we hope that with this report we’ll see a strengthening of the government’s handling of information,” she said.